Mozilla Foundation Security Advisory 2006-38

Buffer overflow in crypto.signText()

Description

Mikolaj Habryn discovered an array index bug in crypto.signText() that
results in overflowing an allocated array of pointers by two when optional
Certificate Authority name arguments are passed in.

Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in mail. This is not
the default setting and we strongly discourage users from running
JavaScript in mail.